By Duncan Sutcliffe, Director of Sutcliffe & Co Insurance Brokers
The most recent cyber breaches survey shows that over the past 12 months, nearly a third (32%) of all businesses and nearly a quarter of charities reported a cyber incident. In May 2023, the CEO of the National Cyber Security Centre stressed the growing threat to organisations and urged them to consider purchasing cyber insurance.
A cyber attack could mean anything from a virus affecting how a computer operates to holding your data hostage in a ransomware attack. The worst case for most businesses would be an attack where you lose access to your systems and the data is shared publicly, which could lead to litigation, regulatory investigation, reputational damage and ultimately inability to continue trading.
What is cyber insurance?
Cyber insurance is there to help an organisation restore its systems and data, handle the technical, legal and reputational issues that follow, and cover the costs and losses incurred after a malicious or accidental cyber or data incident.
Will my normal business insurance cover data breaches?
Most standard insurance policies specifically exclude claims associated with cyber or data incidents. This is why more organisations are purchasing specific cyber insurance policies or cyber extensions to their existing business insurance.
If you have professional indemnity insurance, it might cover some aspects of a cyber incident, such as litigation resulting from the loss of customer data, but that is only a fraction of what a specific cyber insurance policy covers. Likewise, a Crime policy might cover money stolen via cyber means but will not give the wide range of covers and services provided by a cyber policy. A Management Liability policy might give some cover for regulatory investigations but not much else.
What does cyber insurance cover?
Most cyber insurance policies will provide the services of technical experts who will attempt to locate the problem, stop the problem, and restore systems and data. The policy will include the assistance of lawyers who will handle litigation, regulatory breaches and contractual breaches and a crisis management team to ensure the incident is handled efficiently and with minimal reputational damage.
As well as these emergency response services, the policy may also cover things such as lost income, replacement equipment and software, notification of data subjects, credit monitoring and where permissible it will reimburse fines and penalties.
How does a cyber insurance claim work?
In the event of a cyber or data incident, the policy holder calls the insurer's 24 hour emergency helpline. The insurer then appoints technical, legal and crisis management specialists to handle the incident from start to finish. Even if you have your own in-house IT, legal and HR teams, the support provided by the insurer is valuable because these specialists deal with cyber and data incidents every day and will work alongside your people.
The insurer will also communicate with staff, customers and suppliers as necessary and handle legal, contractual and regulatory matters. Since GDPR came into force (now the UK GDPR and the Data Protection Act 2018), organisations must report a personal data breach that is likely to put individuals at risk to the Information Commissioner's Office within 72 hours of becoming aware of it, giving details of what has happened, who has been affected and what is being done about it; this is something your insurer's legal team can prepare and submit for you. Prompt, clear notification and effective handling can reduce regulatory penalties and reputational damage.
To take an example: a firm discovers that a data breach may have compromised client information. The policy holder rings the emergency helpline and a cyber incident response team is engaged to find the cause, contain the breach and restore systems and data. A legal team deals with any litigation and regulatory issues, which could be anything from a personal data breach under the Data Protection Act to a breach of contract. The response team assesses the extent of the breach, then notifies the affected clients and the Information Commissioner's Office, with crisis management and PR support handling communications, including the notification of data subjects, to minimise reputational damage.
Will it make a difference to my insurance if I have a cyber security certification?
Home insurance policies usually require you to have a minimum standard of locks on your doors and windows; in the same way, cyber insurers expect minimum security standards that reflect the risk. For example, a small business operating only in the UK and holding a small amount of data will be required to have basic controls in place, whilst a large organisation operating internationally and handling vast amounts of sensitive data will be expected to have more robust security. Increasingly, insurers ask organisations for evidence of cyber security certifications such as Cyber Essentials, because certified organisations have been shown to be significantly less likely to suffer a serious cyber or data incident.
How much could a cyber attack cost?
Cyber claims come in all shapes and sizes, ranging from the inconvenient to the catastrophic, and are just as likely to affect sole traders as global firms. A real life example seen recently by the Cyber Essentials insurance broker, Sutcliffe & Co, involved a small accountancy firm where an infected spreadsheet attached to an email carried malicious software known as a 'keylogger'. This recorded every keystroke for the criminals, capturing sensitive information including passwords for online banking and other websites. The breach was spotted quickly, but the incident still ended up costing £180,000. Another incident involved a school that suffered a ransomware attack; no ransom was paid and the data and systems were recovered, but the cost came to over £230,000.
For a small organisation, meaning one with fewer than 50 employees, a small breach tends to cost between £10,000 and £30,000. A large breach for a small organisation tends to cost between £60,000 and £80,000, but there have been some far larger cases recently.
Cyber insurance is included with Cyber Essentials for UK based organisations that certify as a whole organisation and have a turnover of less than £20 million. This cover provides a limit of indemnity of up to £25,000.
The cyber liability insurance included in Cyber Essentials can cover the costs of essential emergency assistance for a breach and this can make the difference in keeping a company afloat. Organisations can extend this cover to a higher limit of indemnity to protect them against larger breaches.